No. My personal opinion is that it's unnecessary and even counter-productive. I ranted on my blog, but you can hunt that down if you're interested.
In short, it comes down to two reasons:
1. Forcing a user to constantly change their password leads to bad passwords.
There will be no shortage of anecdotal evidence on this, but it makes sense that if I'm forced to remember a new thing every x days, I'll make those things easy to remember, and probably related to each other.
Users are far more likely to choose "guessable" passwords like "Jan2010" or "Password05" if they know it'll have to change soon. Enforcing a strict policy on characters is likely to just result in an added exclamation mark or a fully-spelled name rather than an abbreviation. There's a big difference between a technically complex password and one that won't be guessed.
2. Forcing regular password changes doesn't prevent attacks; it only reduces risk (and not by much).
Think about it - if your password is guessed or discovered somehow, how long would it take an attacker to use that information? Put yourself in the shoes of the attacker. You've just discovered a password. Would you not log in and extract every bit of information you could straight away just in case someone finds out? In 30 days' time, you've already got everything you want.
My recommendation:
- Force an exceedingly strict password policy (like 15 characters with upper, lower, numbers, and special characters, with no English words > 3 characters)
- Never make the user change their password. If they have to write the password on a piece of paper and keep it in their wallet, that's actually fine. People are good at securing pieces of paper, but not so good at remembering random strings of characters.
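
The policy recommended in the answer above, written as a checker. This is an added example, not part of the original answer: the function names, the small word list, and the step that undoes common character substitutions before the dictionary check are all assumptions made for illustration.

```python
import re

# Constructed sample word list (assumption); a real deployment would load a
# full dictionary plus breached-password and site-specific terms.
WORDS = {"password", "pass", "word", "summer", "winter", "welcome",
         "admin", "january", "monday", "dragon", "letmein", "qwerty"}

MIN_LENGTH = 15    # "15 characters" from the recommendation
MAX_WORD_LEN = 3   # "no English words > 3 characters"

# Common substitutions undone before the dictionary check (assumption).
LEET = str.maketrans("013457@$", "oieastas")


def find_words(password):
    """Return dictionary words longer than MAX_WORD_LEN hidden in the password."""
    found = set()
    lowered = password.lower()
    for text in (lowered, lowered.translate(LEET)):
        for run in re.findall(r"[a-z]+", text):
            for i in range(len(run)):
                for j in range(i + MAX_WORD_LEN + 1, len(run) + 1):
                    if run[i:j] in WORDS:
                        found.add(run[i:j])
    return sorted(found)


def violations(password):
    """Return the policy rules the password breaks; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    for pattern, label in ((r"[a-z]", "no lowercase"),
                           (r"[A-Z]", "no uppercase"),
                           (r"[0-9]", "no digit"),
                           (r"[^A-Za-z0-9]", "no special character")):
        if not re.search(pattern, password):
            problems.append(label)
    words = find_words(password)
    if words:
        problems.append("contains words: " + ", ".join(words))
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, including the two patterns the answer names.
    for candidate in ("Jan2010", "Password05", "P@ssword2010!!!!", "tR7#qL2!vX9@mZ4&"):
        print(candidate, "->", violations(candidate) or "accepted")
```

The third sample meets every length and character-class rule and is rejected only by the word check, which is the gap between "technically complex" and "won't be guessed" that the answer describes.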